Instance Connect

Instance Connect pushes a short-lived public key to the VM each time you connect, so you never have to distribute long-lived keys.

Last updated · 22 May 2026


Instance Connect lets you SSH into an Excloud VM without ever distributing a persistent public key to the instance. Every session pushes a fresh one-time key (typically valid for ~60 seconds), which is consumed by the next SSH handshake. The concept is the same as AWS EC2 Instance Connect; the implementation is Excloud's own.

The benefits:

  • Keyless access: nothing to rotate, nothing to revoke off-host.
  • Audited: every connect call goes through IAM (compute:instance:connect) and is logged with the requesting identity.
  • Short blast radius: even if a session key is captured in transit, it's already useless by the time anyone notices.

Quick connect

If you have the exc CLI installed and are authenticated:

exc compute connect --vm_id 42 --user ubuntu

That single command:

  1. Asks the compute API for a short-lived key pair scoped to VM 42 and the ubuntu user.
  2. Pushes the public half to the VM.
  3. Opens an interactive SSH session using the private half.
  4. Discards the keys when the session ends.

For one-off commands instead of an interactive shell:

exc compute exec --vm-id 42 --command 'systemctl status nginx'

To transfer files:

exc compute scp --vm-id 42 --src ./deploy.tar.gz --dst /tmp/deploy.tar.gz

For the other direction (remote → local), add --download:

exc compute scp --vm-id 42 --download --src /var/log/syslog --dst ./syslog

To open a serial console (useful when SSH is broken):

exc compute console --vm_id 42

Required permissions

The caller needs compute:instance:connect on the target VM. The default Admin policy grants this. For a least-privileged operator role:

{
  "Version": "2024-03-05",
  "Statements": [
    { "Effect": "Allow", "Action": "compute:instance:connect", "Resource": "exc:compute:instance/42" }
  ]
}

Replace 42 with the instance ID, or use exc:compute:instance/* for any VM in the org. See the Policies guide.

Older VMs

On Debian/Ubuntu:

# 1. Trust the Excloud package repository
curl -fsSL https://repo.excloud.in/RepoKey.gpg \
  | sudo gpg --dearmor -o /usr/share/keyrings/excloud-apt.gpg

# 2. Add the repo
echo "deb [signed-by=/usr/share/keyrings/excloud-apt.gpg] \
  https://repo.excloud.in stable main" \
  | sudo tee /etc/apt/sources.list.d/excloud.list

# 3. Install
sudo apt update
sudo apt install exc-instance-connect

Once installed, the agent runs on demand, with no daemon to keep alive.

How it works under the hood

  1. exc compute connect calls POST /compute/instance/connect, passing the VM ID and the desired Linux user.
  2. The compute API generates an ephemeral SSH key pair, pushes the public half to the VM through Excloud's internal control channel, and returns the private half to the CLI.
  3. The CLI uses the private key to open a normal SSH session. The public key expires server-side after a short window, so even a leaked private key has a brief useful life.
  4. There is also a WebSocket variant at GET /compute/instance/connect/ws/:id used by the browser console.

You can perform step 1 yourself from any HTTP client (see the Compute Swagger UI) and then use the returned key with ssh -i directly. That's how exc compute connect works internally.
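
If you take the manual route, discarding the key (step 4 of the quick-connect list) becomes your job. The wrapper below is an added example, not Excloud's code: it keeps the returned private key in a 0600 temp file only for the lifetime of one ssh process. Assumptions: the key is piped in on stdin in PEM/OpenSSH format, and ssh_with_ephemeral_key, SSH_BIN and fetch_key are hypothetical names.

```bash
# Added example (not Excloud code). Hypothetical names: ssh_with_ephemeral_key, SSH_BIN.
# Assumption: the private key returned by the connect API is piped in on stdin
# in PEM/OpenSSH format; fetching and extracting it is left to your HTTP client.
#
# Usage (fetch_key stands for your own API call):
#   fetch_key | ssh_with_ephemeral_key ubuntu@<vm-address>

ssh_with_ephemeral_key() (
  umask 077                                   # files created below are 0600/0700
  dir=$(mktemp -d) || exit 1
  trap 'rm -rf "$dir"' EXIT                   # remove the key however we leave
  trap 'exit 130' INT TERM HUP                # signals fall through to the EXIT trap
  key=$dir/id_ephemeral

  cat >"$key"                                 # key goes from the pipe straight to the 0600 file
  if ! grep -q 'PRIVATE KEY-----' "$key"; then
    echo "stdin did not contain a private key (API error body?)" >&2
    exit 2
  fi

  # stdin was the key pipe; give ssh the terminal back if there is one.
  if (exec </dev/tty) 2>/dev/null; then exec </dev/tty; else exec </dev/null; fi

  # IdentitiesOnly: offer only this key. AddKeysToAgent=no: keep it out of ssh-agent.
  "${SSH_BIN:-ssh}" -i "$key" -o IdentitiesOnly=yes -o AddKeysToAgent=no "$@"
  rc=$?
  rm -rf "$dir"
  exit "$rc"
)
```

The function passes through ssh's exit status, and exits with 2 without starting ssh when stdin carried something other than a key.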